mirror of
https://github.com/github/codeql.git
synced 2026-04-29 18:55:14 +02:00
Java: Query for detecting JEXL injections
This commit is contained in:
Artem Smotrakov
@@ -0,0 +1,46 @@
|
||||
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<overview>
|
||||
<p>
|
||||
Java EXpression Language (JEXL) is a simple expression language
|
||||
provided by the Apache Commons JEXL library.
|
||||
The syntax is close to a mix of ECMAScript and shell-script.
|
||||
The language allows invocation of methods available in the JVM.
|
||||
If a JEXL expression is built using attacker-controlled data,
|
||||
and then evaluated, then it may allow the attacker to run arbitrary code.
|
||||
</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>
|
||||
Including user input in a JEXL expression should be avoided.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>
|
||||
The following example uses untrusted data to build and run a JEXL expression.
|
||||
</p>
|
||||
<sample src="UnsafeJexlExpressionEvaluation.java" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
<li>
|
||||
Apache Commons JEXL:
|
||||
<a href="https://commons.apache.org/proper/commons-jexl/">Project page</a>.
|
||||
</li>
|
||||
<li>
|
||||
Apache Commons JEXL documentation:
|
||||
<a href="https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/">JEXL 2.1.1 API</a>.
|
||||
</li>
|
||||
<li>
|
||||
Apache Commons JEXL documentation:
|
||||
<a href="https://commons.apache.org/proper/commons-jexl/apidocs/index.html">JEXL 3.1 API</a>.
|
||||
</li>
|
||||
<li>
|
||||
OWASP:
|
||||
<a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
|
||||
</li>
|
||||
</references>
|
||||
</qhelp>
|
||||
@@ -0,0 +1,19 @@
|
||||
/**
|
||||
* @name Expression language injection (Jexl)
|
||||
* @description Evaluation of a user-controlled Jexl expression
|
||||
* may lead to arbitrary code execution.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/jexl-expression-injection
|
||||
* @tags security
|
||||
* external/cwe/cwe-094
|
||||
*/
|
||||
|
||||
import java
|
||||
import JexlInjectionLib
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Jexl injection from $@.", source.getNode(), "this user input"
|
||||
@@ -0,0 +1,440 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a Jexl expression.
|
||||
* It supports both Jexl2 and Jexl3.
|
||||
*/
|
||||
class JexlInjectionConfig extends TaintTracking::Configuration {
|
||||
JexlInjectionConfig() { this = "JexlInjectionConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof RemoteFlowSource or
|
||||
source instanceof UserInput or
|
||||
source instanceof EnvInput
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
creatingTaintedJexlExpression(node1, node2) or
|
||||
creatingTaintedJexlTemplate(node1, node2) or
|
||||
creatingTaintedJexlScript(node1, node2) or
|
||||
creatingTaintedJexlCallable(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink for Expresssion Language injection vulnerabilities via Jexl,
|
||||
* i.e. methods that run evaluation of a Jexl expression.
|
||||
*/
|
||||
class JexlEvaluationSink extends DataFlow::ExprNode {
|
||||
JexlEvaluationSink() {
|
||||
isJexlExpressionEvaluationCall(asExpr()) or
|
||||
isJexlTemplateEvaluationCall(asExpr()) or
|
||||
isJexlScriptExecuteCall(asExpr()) or
|
||||
isJexlGetSetPropertyCall(asExpr()) or
|
||||
isCallableCall(asExpr())
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node1` to `node2` is a dataflow step that creates a Jexl expression.
|
||||
*/
|
||||
predicate creatingTaintedJexlExpression(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m | ma.getMethod() = m |
|
||||
(
|
||||
m instanceof JxltEngineCreateExpressionMethod or
|
||||
m instanceof UnifiedJexlParseMethod or
|
||||
m instanceof JexlEngineCreateExpressionMethod
|
||||
) and
|
||||
ma.getAnArgument().getType() instanceof TypeString and
|
||||
ma.getAnArgument() = node1.asExpr() and
|
||||
node2.asExpr() = ma
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node1` to `node2` is a dataflow step that creates a Jexl expression.
|
||||
*/
|
||||
predicate creatingTaintedJxltEngineExpression(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m | ma.getMethod() = m |
|
||||
(m instanceof JxltEngineCreateExpressionMethod or m instanceof UnifiedJexlParseMethod) and
|
||||
ma.getAnArgument().getType() instanceof TypeString and
|
||||
ma.getAnArgument() = node1.asExpr() and
|
||||
node2.asExpr() = ma
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node1` to `node2` is a dataflow step that creates a Jexl template.
|
||||
*/
|
||||
predicate creatingTaintedJexlTemplate(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m | ma.getMethod() = m |
|
||||
(m instanceof JxltEngineCreateTemplateMethod or m instanceof UnifiedJexlCreateTemplateMethod) and
|
||||
(
|
||||
isCreateTemplateSourceArg(ma, 0, node1.asExpr()) or
|
||||
isCreateTemplateSourceArg(ma, 1, node1.asExpr())
|
||||
) and
|
||||
node2.asExpr() = ma
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if:
|
||||
* - `expr` is an argument with the `index`
|
||||
* - `expr` is a string or an instance of `Reader`
|
||||
*/
|
||||
predicate isCreateTemplateSourceArg(MethodAccess ma, int index, Expr expr) {
|
||||
(
|
||||
ma.getArgument(index).getType() instanceof TypeString or
|
||||
ma.getArgument(index).getType() instanceof Reader
|
||||
) and
|
||||
ma.getArgument(index) = expr
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node1` to `node2` is a dataflow step that creates a Jexl script.
|
||||
*/
|
||||
predicate creatingTaintedJexlScript(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m | ma.getMethod() = m |
|
||||
m instanceof JexlEngineCreateScriptMethod and
|
||||
ma.getArgument(0).getType() instanceof TypeString and
|
||||
ma.getArgument(0) = node1.asExpr() and
|
||||
node2.asExpr() = ma
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node1` to `node2` is a dataflow step
|
||||
* that creates a callable from a Jexl expression or script.
|
||||
*/
|
||||
predicate creatingTaintedJexlCallable(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m | ma.getMethod() = m |
|
||||
(m instanceof JexlExpressionCallableMethod or m instanceof JexlScriptCallableMethod) and
|
||||
ma.getQualifier() = node1.asExpr() and
|
||||
node2.asExpr() = ma
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `expr` is a call to one of the methods that execute a Jexl script.
|
||||
*/
|
||||
predicate isJexlScriptExecuteCall(Expr expr) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
m instanceof JexlScriptExecuteMethod and
|
||||
ma.getQualifier() = expr
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `expr` is a call of the `Callable.call()` method.
|
||||
*/
|
||||
predicate isCallableCall(Expr expr) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
m instanceof CallableCallMethod and
|
||||
ma.getQualifier() = expr
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `expr` is an argument in a call to one of the methods
|
||||
* that get or set a property via a Jexl expression.
|
||||
*/
|
||||
predicate isJexlGetSetPropertyCall(Expr expr) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
(m instanceof JexlEngineGetPropertyMethod or m instanceof JexlEngineSetPropertyMethod) and
|
||||
ma.getAnArgument().getType() instanceof TypeString and
|
||||
ma.getAnArgument() = expr
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `expr` is a call to one of the methods that trigger evaluation of a Jexl expression.
|
||||
*/
|
||||
predicate isJexlExpressionEvaluationCall(Expr expr) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
(
|
||||
m instanceof JexlExpressionEvaluateMethod or
|
||||
m instanceof JxltEngineExpressionEvaluateMethod or
|
||||
m instanceof JxltEngineExpressionPrepareMethod or
|
||||
m instanceof UnifiedJexlExpressionEvaluateMethod or
|
||||
m instanceof UnifiedJexlExpressionPrepareMethod
|
||||
) and
|
||||
ma.getQualifier() = expr
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `expr` is a call to one of the methods that evaluates a Jexl template.
|
||||
*/
|
||||
predicate isJexlTemplateEvaluationCall(Expr expr) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
(
|
||||
m instanceof JxltEngineTemplateEvaluateMethod or
|
||||
m instanceof UnifiedJexlTemplateEvaluateMethod
|
||||
) and
|
||||
ma.getQualifier() = expr
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlExpression class that evaluates a Jexl expression.
|
||||
*/
|
||||
class JexlExpressionEvaluateMethod extends Method {
|
||||
JexlExpressionEvaluateMethod() {
|
||||
getDeclaringType() instanceof JexlExpression and
|
||||
hasName("evaluate")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlEngine class that creates a Jexl expression.
|
||||
*/
|
||||
class JexlEngineCreateExpressionMethod extends Method {
|
||||
JexlEngineCreateExpressionMethod() {
|
||||
getDeclaringType() instanceof JexlEngine and
|
||||
hasName("createExpression")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlEngine class that gets a property with a Jexl expression.
|
||||
*/
|
||||
class JexlEngineGetPropertyMethod extends Method {
|
||||
JexlEngineGetPropertyMethod() {
|
||||
getDeclaringType() instanceof JexlEngine and
|
||||
hasName("getProperty")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlEngine class that sets a property with a Jexl expression.
|
||||
*/
|
||||
class JexlEngineSetPropertyMethod extends Method {
|
||||
JexlEngineSetPropertyMethod() {
|
||||
getDeclaringType() instanceof JexlEngine and
|
||||
hasName("setProperty")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlEngine class that creates a Jexl script.
|
||||
*/
|
||||
class JexlEngineCreateScriptMethod extends Method {
|
||||
JexlEngineCreateScriptMethod() {
|
||||
getDeclaringType() instanceof JexlEngine and
|
||||
hasName("createScript")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlScript class that executes a Jexl script.
|
||||
*/
|
||||
class JexlScriptExecuteMethod extends Method {
|
||||
JexlScriptExecuteMethod() {
|
||||
getDeclaringType() instanceof JexlScript and
|
||||
hasName("execute")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlScript class that creates a Callable for a Jexl expression.
|
||||
*/
|
||||
class JexlExpressionCallableMethod extends Method {
|
||||
JexlExpressionCallableMethod() {
|
||||
getDeclaringType() instanceof JexlExpression and
|
||||
hasName("callable")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JexlScript class that creates a Callable for a Jexl script.
|
||||
*/
|
||||
class JexlScriptCallableMethod extends Method {
|
||||
JexlScriptCallableMethod() {
|
||||
getDeclaringType() instanceof JexlScript and
|
||||
hasName("callable")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the Callable class that executes the Callable.
|
||||
*/
|
||||
class CallableCallMethod extends Method {
|
||||
CallableCallMethod() {
|
||||
getDeclaringType() instanceof CallableInterface and
|
||||
hasName("call")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JxltEngine class that creates an expression.
|
||||
*/
|
||||
class JxltEngineCreateExpressionMethod extends Method {
|
||||
JxltEngineCreateExpressionMethod() {
|
||||
getDeclaringType() instanceof JxltEngine and
|
||||
hasName("createExpression")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JxltEngine class that creates a template.
|
||||
*/
|
||||
class JxltEngineCreateTemplateMethod extends Method {
|
||||
JxltEngineCreateTemplateMethod() {
|
||||
getDeclaringType() instanceof JxltEngine and
|
||||
hasName("createTemplate")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JxltEngine.Expression class that evaluates an expression.
|
||||
*/
|
||||
class JxltEngineExpressionEvaluateMethod extends Method {
|
||||
JxltEngineExpressionEvaluateMethod() {
|
||||
getDeclaringType() instanceof JxltEngineExpression and
|
||||
hasName("evaluate")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JxltEngine.Expression class that evaluates the immediate sub-expressions.
|
||||
*/
|
||||
class JxltEngineExpressionPrepareMethod extends Method {
|
||||
JxltEngineExpressionPrepareMethod() {
|
||||
getDeclaringType() instanceof JxltEngineExpression and
|
||||
hasName("prepare")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the JxltEngine.Template class that evaluates a template.
|
||||
*/
|
||||
class JxltEngineTemplateEvaluateMethod extends Method {
|
||||
JxltEngineTemplateEvaluateMethod() {
|
||||
getDeclaringType() instanceof JxltEngineTemplate and
|
||||
hasName("evaluate")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the UnifiedJEXL class that creates an expression.
|
||||
*/
|
||||
class UnifiedJexlParseMethod extends Method {
|
||||
UnifiedJexlParseMethod() {
|
||||
getDeclaringType() instanceof UnifiedJexl and
|
||||
hasName("parse")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the UnifiedJEXL class that creates a template.
|
||||
*/
|
||||
class UnifiedJexlCreateTemplateMethod extends Method {
|
||||
UnifiedJexlCreateTemplateMethod() {
|
||||
getDeclaringType() instanceof UnifiedJexl and
|
||||
hasName("createTemplate")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the UnifiedJEXL.Expression class that evaluates a template.
|
||||
*/
|
||||
class UnifiedJexlExpressionEvaluateMethod extends Method {
|
||||
UnifiedJexlExpressionEvaluateMethod() {
|
||||
getDeclaringType() instanceof UnifiedJexlExpression and
|
||||
hasName("evaluate")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the UnifiedJEXL.Expression class that evaluates the immediate sub-expressions.
|
||||
*/
|
||||
class UnifiedJexlExpressionPrepareMethod extends Method {
|
||||
UnifiedJexlExpressionPrepareMethod() {
|
||||
getDeclaringType() instanceof UnifiedJexlExpression and
|
||||
hasName("prepare")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A method in the UnifiedJEXL.Template class that evaluates a template.
|
||||
*/
|
||||
class UnifiedJexlTemplateEvaluateMethod extends Method {
|
||||
UnifiedJexlTemplateEvaluateMethod() {
|
||||
getDeclaringType() instanceof UnifiedJexlTemplate and
|
||||
hasName("evaluate")
|
||||
}
|
||||
}
|
||||
|
||||
class JexlExpression extends RefType {
|
||||
JexlExpression() {
|
||||
hasQualifiedName("org.apache.commons.jexl3", "JexlExpression") or
|
||||
hasQualifiedName("org.apache.commons.jexl2", "Expression")
|
||||
}
|
||||
}
|
||||
|
||||
class JexlScript extends RefType {
|
||||
JexlScript() {
|
||||
hasQualifiedName("org.apache.commons.jexl3", "JexlScript") or
|
||||
hasQualifiedName("org.apache.commons.jexl2", "Script")
|
||||
}
|
||||
}
|
||||
|
||||
class JexlEngine extends RefType {
|
||||
JexlEngine() {
|
||||
hasQualifiedName("org.apache.commons.jexl3", "JexlEngine") or
|
||||
hasQualifiedName("org.apache.commons.jexl2", "JexlEngine")
|
||||
}
|
||||
}
|
||||
|
||||
class JxltEngine extends RefType {
|
||||
JxltEngine() { hasQualifiedName("org.apache.commons.jexl3", "JxltEngine") }
|
||||
}
|
||||
|
||||
class UnifiedJexl extends RefType {
|
||||
UnifiedJexl() { hasQualifiedName("org.apache.commons.jexl2", "UnifiedJEXL") }
|
||||
}
|
||||
|
||||
class JxltEngineExpression extends NestedType {
|
||||
JxltEngineExpression() {
|
||||
getEnclosingType() instanceof JxltEngine and
|
||||
hasName("Expression")
|
||||
}
|
||||
}
|
||||
|
||||
class JxltEngineTemplate extends NestedType {
|
||||
JxltEngineTemplate() {
|
||||
getEnclosingType() instanceof JxltEngine and
|
||||
hasName("Template")
|
||||
}
|
||||
}
|
||||
|
||||
class UnifiedJexlExpression extends NestedType {
|
||||
UnifiedJexlExpression() {
|
||||
getEnclosingType() instanceof UnifiedJexl and
|
||||
hasName("Expression")
|
||||
}
|
||||
}
|
||||
|
||||
class UnifiedJexlTemplate extends NestedType {
|
||||
UnifiedJexlTemplate() {
|
||||
getEnclosingType() instanceof UnifiedJexl and
|
||||
hasName("Template")
|
||||
}
|
||||
}
|
||||
|
||||
class CallableInterface extends RefType {
|
||||
CallableInterface() {
|
||||
getSourceDeclaration()
|
||||
.getASourceSupertype*()
|
||||
.hasQualifiedName("java.util.concurrent", "Callable")
|
||||
}
|
||||
}
|
||||
|
||||
class Reader extends RefType {
|
||||
Reader() { hasQualifiedName("java.io", "Reader") }
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
public void evaluate(Socket socket) throws IOException {
|
||||
try (BufferedReader reader = new BufferedReader(
|
||||
new InputStreamReader(socket.getInputStream()))) {
|
||||
|
||||
String input = reader.readLine();
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JexlExpression expression = jexl.createExpression(input);
|
||||
JexlContext context = new MapContext();
|
||||
expression.evaluate(context);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,120 @@
|
||||
import org.apache.commons.jexl2.*;
|
||||
|
||||
import java.io.StringWriter;
|
||||
import java.net.ServerSocket;
|
||||
import java.net.Socket;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
public class Jexl2Injection {
|
||||
|
||||
private static void runJexlExpression(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
Expression e = jexl.createExpression(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
Expression e = jexl.createExpression(
|
||||
jexlExpr, new DebugInfo("unknown", 0, 0));
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static void runJexlScript(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
Script script = jexl.createScript(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
script.execute(jc);
|
||||
}
|
||||
|
||||
private static void runJexlScriptViaCallable(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
Script script = jexl.createScript(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
|
||||
try {
|
||||
script.callable(jc).call();
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
jexl.getProperty(new Object(), jexlExpr);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
jexl.setProperty(new Object(), jexlExpr, new Object());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
|
||||
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
|
||||
unifiedJEXL.parse(jexlExpr).prepare(new MapContext());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlEngine();
|
||||
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
|
||||
unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
|
||||
}
|
||||
|
||||
private static void testWithSocket(Consumer<String> action) throws Exception {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
String jexlExpr = new String(bytes, 0, n);
|
||||
action.accept(jexlExpr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// below are tests for the query
|
||||
|
||||
public static void testWithJexlExpressionEvaluate() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpression);
|
||||
}
|
||||
|
||||
public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpressionWithJexlInfo);
|
||||
}
|
||||
|
||||
public static void testWithJexlScriptExecute() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlScript);
|
||||
}
|
||||
|
||||
public static void testWithJexlScriptCallable() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlScriptViaCallable);
|
||||
}
|
||||
|
||||
public static void testWithJexlEngineGetProperty() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpressionViaGetProperty);
|
||||
}
|
||||
|
||||
public static void testWithJexlEngineSetProperty() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpressionViaSetProperty);
|
||||
}
|
||||
|
||||
public static void testWithUnifiedJEXLParseAndEvaluate() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndEvaluate);
|
||||
}
|
||||
|
||||
public static void testWithUnifiedJEXLParseAndPrepare() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndPrepare);
|
||||
}
|
||||
|
||||
public static void testWithUnifiedJEXLTemplateEvaluate() throws Exception {
|
||||
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLTemplateEvaluate);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,135 @@
|
||||
import java.io.StringWriter;
|
||||
import java.net.ServerSocket;
|
||||
import java.net.Socket;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.apache.commons.jexl3.*;
|
||||
|
||||
public class Jexl3Injection {
|
||||
|
||||
private static void runJexlExpression(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JexlExpression e = jexl.createExpression(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static void runJexlScript(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JexlScript script = jexl.createScript(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
script.execute(jc);
|
||||
}
|
||||
|
||||
private static void runJexlScriptViaCallable(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JexlScript script = jexl.createScript(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
|
||||
try {
|
||||
script.callable(jc).call();
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
jexl.getProperty(new Object(), jexlExpr);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
jexl.setProperty(new Object(), jexlExpr, new Object());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JxltEngine jxlt = jexl.createJxltEngine();
|
||||
jxlt.createExpression(jexlExpr).evaluate(new MapContext());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JxltEngine jxlt = jexl.createJxltEngine();
|
||||
jxlt.createExpression(jexlExpr).prepare(new MapContext());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JxltEngine jxlt = jexl.createJxltEngine();
|
||||
jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaCallable(String jexlExpr) {
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
JexlExpression e = jexl.createExpression(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
|
||||
try {
|
||||
e.callable(jc).call();
|
||||
} catch (Exception ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static void testWithSocket(Consumer<String> action) throws Exception {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
String jexlExpr = new String(bytes, 0, n);
|
||||
action.accept(jexlExpr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// below are tests for the query
|
||||
|
||||
public static void testWithJexlExpressionEvaluate() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpression);
|
||||
}
|
||||
|
||||
public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionWithJexlInfo);
|
||||
}
|
||||
|
||||
public static void testWithJexlScriptExecute() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlScript);
|
||||
}
|
||||
|
||||
public static void testWithJexlScriptCallable() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlScriptViaCallable);
|
||||
}
|
||||
|
||||
public static void testWithJexlEngineGetProperty() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionViaGetProperty);
|
||||
}
|
||||
|
||||
public static void testWithJexlEngineSetProperty() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionViaSetProperty);
|
||||
}
|
||||
|
||||
public static void testWithJxltEngineExpressionEvaluate() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionEvaluate);
|
||||
}
|
||||
|
||||
public static void testWithJxltEngineExpressionPrepare() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionPrepare);
|
||||
}
|
||||
|
||||
public static void testWithJxltEngineTemplateEvaluate() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineTemplateEvaluate);
|
||||
}
|
||||
|
||||
public static void testWithJexlExpressionCallable() throws Exception {
|
||||
testWithSocket(Jexl3Injection::runJexlExpressionViaCallable);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,180 @@
|
||||
edges
|
||||
| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:14:9:14:9 | e |
|
||||
| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:22:9:22:9 | e |
|
||||
| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | Jexl2Injection.java:29:9:29:14 | script |
|
||||
| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:31 | callable(...) |
|
||||
| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | Jexl2Injection.java:46:40:46:47 | jexlExpr |
|
||||
| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | Jexl2Injection.java:51:40:51:47 | jexlExpr |
|
||||
| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
|
||||
| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | Jexl2Injection.java:63:9:63:35 | parse(...) |
|
||||
| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | Jexl2Injection.java:69:9:69:44 | createTemplate(...) |
|
||||
| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:25:39:25:53 | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:32:50:32:64 | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:44:57:44:71 | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:49:57:49:71 | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:54:73:54:87 | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:60:72:60:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:66:73:66:87 | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:10:43:10:57 | jexlExpr : String | Jexl3Injection.java:14:9:14:9 | e |
|
||||
| Jexl3Injection.java:17:55:17:69 | jexlExpr : String | Jexl3Injection.java:21:9:21:9 | e |
|
||||
| Jexl3Injection.java:24:39:24:53 | jexlExpr : String | Jexl3Injection.java:28:9:28:14 | script |
|
||||
| Jexl3Injection.java:31:50:31:64 | jexlExpr : String | Jexl3Injection.java:37:13:37:31 | callable(...) |
|
||||
| Jexl3Injection.java:43:57:43:71 | jexlExpr : String | Jexl3Injection.java:45:40:45:47 | jexlExpr |
|
||||
| Jexl3Injection.java:48:57:48:71 | jexlExpr : String | Jexl3Injection.java:50:40:50:47 | jexlExpr |
|
||||
| Jexl3Injection.java:53:74:53:88 | jexlExpr : String | Jexl3Injection.java:56:9:56:39 | createExpression(...) |
|
||||
| Jexl3Injection.java:59:73:59:87 | jexlExpr : String | Jexl3Injection.java:62:9:62:39 | createExpression(...) |
|
||||
| Jexl3Injection.java:65:72:65:86 | jexlExpr : String | Jexl3Injection.java:68:9:68:37 | createTemplate(...) |
|
||||
| Jexl3Injection.java:71:54:71:68 | jexlExpr : String | Jexl3Injection.java:77:13:77:26 | callable(...) |
|
||||
| Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:89:31:89:38 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:97:24:97:56 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:101:24:101:68 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:105:24:105:52 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:109:24:109:63 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:113:24:113:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:117:24:117:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:121:24:121:87 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:125:24:125:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:129:24:129:85 | jexlExpr : String |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:133:24:133:67 | jexlExpr : String |
|
||||
| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | Jexl3Injection.java:10:43:10:57 | jexlExpr : String |
|
||||
| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | Jexl3Injection.java:97:24:97:56 | jexlExpr : String |
|
||||
| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | Jexl3Injection.java:17:55:17:69 | jexlExpr : String |
|
||||
| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | Jexl3Injection.java:101:24:101:68 | jexlExpr : String |
|
||||
| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | Jexl3Injection.java:24:39:24:53 | jexlExpr : String |
|
||||
| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | Jexl3Injection.java:105:24:105:52 | jexlExpr : String |
|
||||
| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | Jexl3Injection.java:31:50:31:64 | jexlExpr : String |
|
||||
| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | Jexl3Injection.java:109:24:109:63 | jexlExpr : String |
|
||||
| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | Jexl3Injection.java:43:57:43:71 | jexlExpr : String |
|
||||
| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | Jexl3Injection.java:113:24:113:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | Jexl3Injection.java:48:57:48:71 | jexlExpr : String |
|
||||
| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | Jexl3Injection.java:117:24:117:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | Jexl3Injection.java:53:74:53:88 | jexlExpr : String |
|
||||
| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | Jexl3Injection.java:121:24:121:87 | jexlExpr : String |
|
||||
| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | Jexl3Injection.java:59:73:59:87 | jexlExpr : String |
|
||||
| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | Jexl3Injection.java:125:24:125:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | Jexl3Injection.java:65:72:65:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | Jexl3Injection.java:129:24:129:85 | jexlExpr : String |
|
||||
| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | Jexl3Injection.java:71:54:71:68 | jexlExpr : String |
|
||||
| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | Jexl3Injection.java:133:24:133:67 | jexlExpr : String |
|
||||
nodes
|
||||
| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e |
|
||||
| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:22:9:22:9 | e | semmle.label | e |
|
||||
| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:29:9:29:14 | script | semmle.label | script |
|
||||
| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:38:13:38:31 | callable(...) | semmle.label | callable(...) |
|
||||
| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:46:40:46:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:51:40:51:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:57:9:57:35 | parse(...) | semmle.label | parse(...) |
|
||||
| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:63:9:63:35 | parse(...) | semmle.label | parse(...) |
|
||||
| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | semmle.label | createTemplate(...) |
|
||||
| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:14:9:14:9 | e | semmle.label | e |
|
||||
| Jexl3Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e |
|
||||
| Jexl3Injection.java:24:39:24:53 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:28:9:28:14 | script | semmle.label | script |
|
||||
| Jexl3Injection.java:31:50:31:64 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:37:13:37:31 | callable(...) | semmle.label | callable(...) |
|
||||
| Jexl3Injection.java:43:57:43:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:45:40:45:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl3Injection.java:48:57:48:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:50:40:50:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl3Injection.java:53:74:53:88 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:56:9:56:39 | createExpression(...) | semmle.label | createExpression(...) |
|
||||
| Jexl3Injection.java:59:73:59:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:62:9:62:39 | createExpression(...) | semmle.label | createExpression(...) |
|
||||
| Jexl3Injection.java:65:72:65:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:68:9:68:37 | createTemplate(...) | semmle.label | createTemplate(...) |
|
||||
| Jexl3Injection.java:71:54:71:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:77:13:77:26 | callable(...) | semmle.label | callable(...) |
|
||||
| Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
#select
|
||||
| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:22:9:22:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:22:9:22:9 | e | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:29:9:29:14 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:29:9:29:14 | script | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:38:13:38:31 | callable(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:31 | callable(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:14:9:14:9 | e | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:14:9:14:9 | e | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:28:9:28:14 | script | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:14 | script | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:37:13:37:31 | callable(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:37:13:37:31 | callable(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:45:40:45:47 | jexlExpr | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:45:40:45:47 | jexlExpr | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:50:40:50:47 | jexlExpr | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:50:40:50:47 | jexlExpr | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:56:9:56:39 | createExpression(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:56:9:56:39 | createExpression(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:62:9:62:39 | createExpression(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:62:9:62:39 | createExpression(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:68:9:68:37 | createTemplate(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:68:9:68:37 | createTemplate(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:77:13:77:26 | callable(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:77:13:77:26 | callable(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-094/JexlInjection.ql
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
public class DebugInfo implements JexlInfo {
|
||||
|
||||
public DebugInfo(String tn, int l, int c) {}
|
||||
|
||||
public String debugString() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public DebugInfo debugInfo() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
public interface Expression {
|
||||
Object evaluate(JexlContext var1);
|
||||
String getExpression();
|
||||
String dump();
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
public interface JexlContext {
|
||||
Object get(String var1);
|
||||
void set(String var1, Object var2);
|
||||
boolean has(String var1);
|
||||
}
|
||||
@@ -0,0 +1,42 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
public class JexlEngine {
|
||||
|
||||
public Expression createExpression(String expression) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Expression createExpression(String expression, JexlInfo info) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Script createScript(String scriptText) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Script createScript(String scriptText, JexlInfo info) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Script createScript(String scriptText, String... names) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Script createScript(String scriptText, JexlInfo info, String[] names) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Object getProperty(Object bean, String expr) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Object getProperty(JexlContext context, Object bean, String expr) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void setProperty(Object bean, String expr, Object value) {}
|
||||
|
||||
public void setProperty(JexlContext context, Object bean, String expr, Object value) {}
|
||||
|
||||
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
public interface JexlInfo {
|
||||
String debugString();
|
||||
DebugInfo debugInfo();
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
public class MapContext implements JexlContext {
|
||||
|
||||
public Object get(String var1) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void set(String var1, Object var2) {}
|
||||
|
||||
public boolean has(String var1) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
public interface Script {
|
||||
|
||||
Object execute(JexlContext var1);
|
||||
|
||||
Object execute(JexlContext var1, Object... var2);
|
||||
|
||||
String getText();
|
||||
|
||||
String[] getParameters();
|
||||
|
||||
String[] getLocalVariables();
|
||||
|
||||
Set<List<String>> getVariables();
|
||||
|
||||
Callable<Object> callable(JexlContext var1);
|
||||
|
||||
Callable<Object> callable(JexlContext var1, Object... var2);
|
||||
}
|
||||
@@ -0,0 +1,47 @@
|
||||
package org.apache.commons.jexl2;
|
||||
|
||||
import java.io.Writer;
|
||||
import java.io.Reader;
|
||||
|
||||
public final class UnifiedJEXL {
|
||||
|
||||
public UnifiedJEXL(JexlEngine jexl) {}
|
||||
|
||||
public UnifiedJEXL.Expression parse(String expression) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public UnifiedJEXL.Template createTemplate(String prefix, Reader source, String... parms) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public UnifiedJEXL.Template createTemplate(String source, String... parms) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public UnifiedJEXL.Template createTemplate(String source) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public final class Template {
|
||||
|
||||
public UnifiedJEXL.Template prepare(JexlContext context) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void evaluate(JexlContext context, Writer writer) {}
|
||||
|
||||
public void evaluate(JexlContext context, Writer writer, Object... args) {}
|
||||
}
|
||||
|
||||
public abstract class Expression {
|
||||
|
||||
public UnifiedJEXL.Expression prepare(JexlContext context) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Object evaluate(JexlContext context) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
public class JexlBuilder {
|
||||
|
||||
public JexlEngine create() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
public interface JexlContext {}
|
||||
@@ -0,0 +1,34 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
public abstract class JexlEngine {
|
||||
|
||||
public JexlExpression createExpression(JexlInfo info, String expression) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public JexlExpression createExpression(String expression) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public JexlScript createScript(JexlInfo info, String source, String[] names) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public JexlScript createScript(String scriptText) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public JexlScript createScript(String scriptText, String... names) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public JxltEngine createJxltEngine() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void setProperty(Object bean, String expr, Object value) {}
|
||||
|
||||
public Object getProperty(Object bean, String expr) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
public interface JexlExpression {
|
||||
Object evaluate(JexlContext context);
|
||||
Callable<Object> callable(JexlContext context);
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
public class JexlInfo {
|
||||
public JexlInfo(String source, int l, int c) {}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
public interface JexlScript {
|
||||
|
||||
Object execute(JexlContext context);
|
||||
Object execute(JexlContext context, Object... args);
|
||||
Callable<Object> callable(JexlContext context);
|
||||
Callable<Object> callable(JexlContext context, Object... args);
|
||||
}
|
||||
@@ -0,0 +1,25 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
import java.io.Writer;
|
||||
|
||||
public class JxltEngine {
|
||||
|
||||
public Expression createExpression(String expression) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public Template createTemplate(String source) {
|
||||
return null;
|
||||
}
|
||||
|
||||
public interface Expression {
|
||||
Object evaluate(JexlContext context);
|
||||
Expression prepare(JexlContext context);
|
||||
}
|
||||
|
||||
public interface Template {
|
||||
void evaluate(JexlContext context, Writer writer);
|
||||
void evaluate(JexlContext context, Writer writer, Object... args);
|
||||
Template prepare(JexlContext context);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
package org.apache.commons.jexl3;
|
||||
|
||||
public class MapContext implements JexlContext {}
|
||||
Reference in New Issue
Block a user